Your message dated Mon, 20 Feb 2012 00:33:47 -0600
with message-id <20120220063347.ga27...@gwolf.org>
and subject line Re: Bug#647205: cherokee: Admin password generation uses time and PID, allows attackers to brute-force it
has caused the Debian Bug report #647205,
regarding cherokee: Admin password generation uses time and PID, allows attackers to brute-force it
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
647205: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=647205
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: cherokee
Version: 1.2.100-1
Severity: grave
Tags: security
Justification: user security hole

CVE issue CVE-2011-2190 points out that the temporary admin password
generation function is seeded by the time and PID, which allows an
attacker to brute-force it. Yes, in production systems cherokee-admin
should be quite short-lived, but administrators can leave it running
for long periods, opening a window to this attack. 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2190
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2190

An example attack has been posted to the RedHat bugzilla:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2190

This bug has been filed in the upstream bugtracker:

http://code.google.com/p/cherokee/issues/detail?id=1295

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages cherokee depends on:
ii  libc6                2.13-21  
ii  libcherokee-base0    1.2.100-1
ii  libcherokee-server0  1.2.100-1
ii  libssl1.0.0          1.0.0e-2 
ii  logrotate            3.7.8-6  

Versions of packages cherokee recommends:
ii  cherokee-admin  1.2.100-1
ii  spawn-fcgi      1.6.3-1  

Versions of packages cherokee suggests:
ii  cherokee-doc               1.2.100-1
ii  libcherokee-mod-geoip      1.2.100-1
ii  libcherokee-mod-ldap       1.2.100-1
ii  libcherokee-mod-libssl     1.2.100-1
ii  libcherokee-mod-mysql      1.2.100-1
ii  libcherokee-mod-rrd        1.2.100-1
ii  libcherokee-mod-streaming  1.2.100-1

-- Configuration Files:
/etc/cherokee/cherokee.conf changed [not included]

-- debconf-show failed



--- End Message ---
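The weakness the report above describes, seeding the password generator from the clock and the process id, is illustrated below with an added Python example. This is not cherokee's own code (which is C and is not quoted in this thread); the password length, alphabet and PID range are assumptions made for the illustration. The point a reviewer wants to see is that the weak variant is a deterministic function of two small numbers, so its effective search space is bounded by the seed space rather than by the password length, while the hardened variant draws from the OS CSPRNG.

```python
import math
import random
import secrets
import string

# Assumed for the illustration: an 8-character alphanumeric admin password.
ALPHABET = string.ascii_letters + string.digits
PASSWORD_LEN = 8


def weak_password(seconds: int, pid: int, length: int = PASSWORD_LEN) -> str:
    """Constructed example of the weak pattern from the bug report: the PRNG
    is seeded only from a timestamp and a process id, so the output is fully
    determined by those two small inputs (same seed -> same password)."""
    rng = random.Random(seconds ^ pid)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_password(length: int = PASSWORD_LEN) -> str:
    """Hardened variant: every character comes from the OS CSPRNG via the
    secrets module, so no seed is recoverable from observable state."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def weak_search_space_bits(window_seconds: int, pid_max: int = 32768) -> float:
    """Upper bound on the entropy of the weak scheme: at most one password per
    (timestamp, pid) pair within the window an attacker can bracket.
    pid_max=32768 is the classic Linux default pid limit (an assumption)."""
    return math.log2(window_seconds * pid_max)


def strong_search_space_bits(length: int = PASSWORD_LEN) -> float:
    """Entropy of a uniformly random password of the given length."""
    return length * math.log2(len(ALPHABET))


def password_is_valid(password: str, length: int = PASSWORD_LEN) -> bool:
    """Sanity check used by both variants: right length, allowed alphabet."""
    return len(password) == length and all(c in ALPHABET for c in password)


if __name__ == "__main__":
    # Same (time, pid) seed reproduces the same "random" password.
    print(weak_password(1329721200, 1234), weak_password(1329721200, 1234))
    print(strong_password())
    # A one-hour window of start times bounds the weak scheme to ~26.8 bits,
    # against ~47.6 bits for 8 uniformly random alphanumeric characters.
    print(round(weak_search_space_bits(3600), 1), round(strong_search_space_bits(), 1))
```

The entropy bound is what matters operationally: leaving cherokee-admin running for a long time, as the report notes, does not widen the seed space beyond the start-time window and pid range, so the mitigation is to draw the password from the OS random source rather than to rely on the process being short-lived.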
--- Begin Message ---
Version: 1.0.14-1

Moritz Mühlenhoff said [Sun, Feb 19, 2012 at 08:59:20PM +0100]:
> Is this fixed in unstable? If so, in which version?

Yes, the bug was patched in version 1.0.10 (but I only uploaded it to
Debian until 1.0.14). The fix was taken from the upstream SVN tree,
which has migrated to GitHub, hence the URL I mentioned in my patch is
no longer valid.

But yes, the bug is no longer present in any package shipped in
Debian.


--- End Message ---
